Recent changes in account creation

TJM
Project administrator
Project developer
Project scientist
Joined: 25 Aug 07
Posts: 843
Credit: 267,994,998
RAC: 0
Message 4068 - Posted: 24 Aug 2016, 12:44:25 UTC
Last modified: 24 Aug 2016, 12:46:31 UTC

As everyone may have already noticed, the project has been heavily hit by spammers. For the last weeks I've been fighting with up to 10k registrations per day, mostly just empty accounts which were created for unknown reasons (very few of them actually posted anything on forums or created profile/spam team).
I've been looking into possible ways to filter out the spammers right where they start (registration) and, after looking at a few possible solutions, I made a patch for the BOINC server to use StopForumSpam databases. For now, the server does not allow access to the registration script from any IP listed in the SFS db, and it also refuses to create an account with an email address which is blacklisted there. This immediately filtered out more than 99,9% of new accounts; the rest is reviewed manually, and eventually spammers that slipped through registration are reported back to the SFS.

There is also a daemon script which runs in the background, randomly picking an account and checking it against the blacklists. All accounts registered with a blacklisted email address will be gone sooner or later, together with any team and/or profile they have created (the script works very slowly, checking one account every few minutes, as I don't want to stress the SFS API, which is a great free service).
The script won't touch anyone who has any credits or even hosts attached, so legitimate accounts should be safe even if someone has their email blacklisted.
M4 Project homepage
M4 Project wiki
ID: 4068 · Rating: 0
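
The registration gate and the slow background sweep described in the post above, as an added example; it is not TJM's patch or BOINC server code. The `is_listed` helper, the `Account` fields, the sample blocklist, the lowercase email normalisation and the handling of a failed lookup are all assumptions made for illustration.

```python
import random
import time
from dataclasses import dataclass

# Constructed sample blocklist; a real deployment would query StopForumSpam.
LISTED = {("ip", "203.0.113.7"), ("email", "bulk@spam.example")}

def is_listed(kind, value):
    """Stand-in lookup (hypothetical helper, not a real SFS client)."""
    return (kind, value) in LISTED

@dataclass
class Account:
    id: int
    email: str
    total_credit: float = 0.0
    hosts: int = 0

def registration_allowed(ip, email, lookup=is_listed):
    """Gate applied before an account is created: reject a listed IP or email."""
    if lookup("ip", ip):
        return False, "ip listed"
    if lookup("email", email.strip().lower()):  # assumption: list is lowercase
        return False, "email listed"
    return True, "ok"

def should_purge(acct, lookup=is_listed):
    """Background check: credit or attached hosts always protect an account."""
    if acct.total_credit > 0 or acct.hosts > 0:
        return False
    try:
        return lookup("email", acct.email.strip().lower())
    except OSError:
        return False  # assumption: a failed lookup never deletes anything

def sweep(accounts, rounds, pause_s=300, rng=random, sleep=time.sleep,
          lookup=is_listed):
    """Check one randomly picked account per round, pausing between lookups."""
    purged = set()
    for _ in range(rounds):
        acct = rng.choice(accounts)
        if should_purge(acct, lookup):
            purged.add(acct.id)
        sleep(pause_s)  # keeps the request rate against the list service low
    return purged
```
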
JLDun
Joined: 28 Jan 11
Posts: 4
Credit: 117,271
RAC: 0
Message 4072 - Posted: 26 Aug 2016, 2:32:36 UTC - in response to Message 4068.  

The script won't touch anyone who has any credits or even hosts attached, so legitimate accounts should be safe even if someone has their email blacklisted.

Good idea. (Even though it does lead me to wonder why someone would be on that list if they're active enough to have credit....)


As an aside: "I don't know if this is related, but...": I've noticed that, while logged in, the forum now doesn't necessarily mark a thread as read after I click on it.
ID: 4072 · Rating: 0
TJM
Project administrator
Project developer
Project scientist
Joined: 25 Aug 07
Posts: 843
Credit: 267,994,998
RAC: 0
Message 4076 - Posted: 26 Aug 2016, 12:32:56 UTC - in response to Message 4072.  
Last modified: 29 Aug 2016, 12:15:29 UTC

Good idea. (Even though it does lead me to wonder why someone would be on that list if they're active enough to have credit....)


Some of the emails used by spammers are probably stolen or just randomly used by spammers (BOINC projects do not verify emails by default*), so there is a slight chance that a legitimate email will somehow end up on blacklists.


As an aside: "I don't know if this is related, but...": I've noticed that, while logged in, the forum now doesn't necessarily mark a thread as read after I click on it.


Does that change if you hit F5?

[EDIT]
I think the board does not mark a thread as read if there were any posts removed from the thread, newer than the current last post (spam). It should be relatively easy to fix.

* - I'm considering another patch to the server, to add email validation / account activation for all new accounts by default. It won't stop spammers from registering, as they actually do check their garbage emails for links to click (checked that already). But it'll stop them from using stolen or random emails.
M4 Project homepage
M4 Project wiki
ID: 4076 · Rating: 0
JLDun
Joined: 28 Jan 11
Posts: 4
Credit: 117,271
RAC: 0
Message 4100 - Posted: 5 Sep 2016, 5:19:40 UTC - in response to Message 4076.  

Does that change if you hit F5?


I haven't checked since my last post (I've been away from here for a few days), but when I posted about it it took TWO refreshes for a thread to show as read. (I use a phone and a tablet, both Android based, for internet browsing. So more hitting a 'refresh button' vs using 'F5'. And this may imply a fault with Chrome at the time...)
ID: 4100 · Rating: 0
James Jadesword
Joined: 4 Nov 16
Posts: 3
Credit: 261,863
RAC: 0
Message 4159 - Posted: 6 Nov 2016, 9:59:30 UTC - in response to Message 4068.  
Last modified: 6 Nov 2016, 10:38:47 UTC

As everyone may have already noticed, the project has been heavily hit by spammers.

http://www.captcha.net/ can be used to help filter out bots as the volume you indicated strongly suggests bots setting up accounts. Since captcha is the main enemy of bot users, expect that the site will suffer distributed denial of service attacks.

https://www.cs.cmu.edu/~biglou/captcha_crypt.pdf gives a detailed explanation and more if you are comfortable with calculus.
ID: 4159 · Rating: 0
James Jadesword
Joined: 4 Nov 16
Posts: 3
Credit: 261,863
RAC: 0
Message 4160 - Posted: 6 Nov 2016, 12:33:09 UTC - in response to Message 4068.  

the rest is reviewed manually

I just looked at the team list and found that the majority have zero total credit, zero members, and zero recent average credit. I have also noticed many duplicate names. How long is "recent"? Do you have creation dates for the teams? Is there a way to get in touch with the creator of the teams?

I would suggest getting in touch with the team creator if there is a total credit and no recent average credit for ninety days. If there is no reply in thirty days, delete the team. I also suggest giving a specific date and time with UTC as the time zone to avoid any misunderstanding as to the deadline.

I would suggest deleting all teams with zero members as they are obviously abandoned.

I would suggest deleting all teams with zero total credit ninety days after creation.

These are just suggestions which you may use, modify, or not use as you wish.

Please note that DHCP (Dynamic Host Configuration Protocol) IP (Internet Protocol) addresses can be changed. In the past, when I had a change of IP address when I logged into my ISP (Internet Service Provider) and found that it was on a black-list, I forced an IP address change, no more problems. VPN (Virtual Private Networks) and proxy services may serve the same purpose. Emails are even easier as most services will allow as many email addresses as you may wish to create. Hacked emails are also a problem.
ID: 4160 · Rating: 0
danq
Joined: 16 Dec 07
Posts: 53
Credit: 12,788,122
RAC: 0
Message 4164 - Posted: 6 Nov 2016, 21:13:02 UTC - in response to Message 4160.  
Last modified: 6 Nov 2016, 21:13:49 UTC

I just looked at the team list and found that the majority have zero total credit, zero members, and zero recent average credit. I have also noticed many duplicate names. How long is "recent"? Do you have creation dates for the teams? Is there a way to get in touch with the creator of the teams?


It's possible that people left the project (or didn't give it a chance) because they think we're still working on the third message we solved in 2013, and have never used the forums (which would tell them about the fourth and fifth messages). If we are contacting team members, we should inform them of the fifth message we are currently working on, since from the occasionally updated project news page, they would have no idea. Then they can inform team members, which could increase participation.
-Dan Q

danq.co

ID: 4164 · Rating: 0
Sir Thomas W. Kilburn
Joined: 27 Jun 15
Posts: 1
Credit: 170,725
RAC: 0
Message 4231 - Posted: 12 Jan 2017, 11:50:45 UTC - in response to Message 4068.  

I had the same problem. I had to go through manually cleaning up my two teams. I now do not allow any new members.
ID: 4231 · Rating: 0